Medical Devices Are The Weak Link

Uploaded on 2016-12-01 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

For many users of Johnson & Johnson’s OneTouch Ping insulin pump, the benefit of ease of use has been outweighed by the fear of hacking.

In early October, the company sent letters to patients using the devices, alerting them to the fact that the OneTouch contained a cybersecurity flaw that could allow a hacker to reprogram the device to administer additional doses of the diabetes drug, which could be life-threatening.

In its letter to patients, Johnson & Johnson portrayed the risk as minimal. “The probability of unauthorized access to the OneTouch Ping System is extremely low,” it noted. “It would require technical expertise, sophisticated equipment and proximity to the pump.”

A spokesman for the company says it’s working to eliminate the vulnerability; it has laid out a series of steps patients can take to reduce the risk, such as turning off the pump’s wireless connection to a blood-sugar meter, or setting a limit on the amount of insulin that can be delivered.

The announcement is yet another stark reminder of known security issues that exist with medical devices, widely used by both providers and patients. Indeed, this is not the first time concerns have surfaced about the ease of hacking medical devices.

In mid-2015, the Food and Drug Administration took the unprecedented step of alerting users about cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The agency strongly encouraged healthcare facilities to discontinue use of the pumps.

And the FDA is not the only federal agency shining a spotlight on the vulnerabilities of medical devices. In 2014, the Federal Bureau of Investigation issued a report that predicted hackers could assail medical devices, and followed that up with an alert last year warning companies and the public about cybersecurity risks to networked medical devices and wearable sensors.

The threat to patient safety carries the biggest shock value, and healthcare organizations are widely concerned about those risks.

But the devices also pose risks to the networks of healthcare organizations, because they typically have weak defenses against malware and a medical device could serve as an easy entry point to providers’ internal data networks.

Security experts and federal officials say the devices could become the focal point of a perfect storm for compromising healthcare data security and placing patient safety at risk. That’s because the vulnerability of devices to cyber-attacks is well known, and hackers are becoming emboldened to find new ways to attack healthcare organizations.

Most security professionals are worried about the vulnerability of a myriad of networked medical devices that have Internet connectivity, from infusion pumps and X-ray scanners to picture archiving and communications systems, blood gas analyzers, medical imaging devices, medical lasers, life support equipment and many more.

These devices are expensive and last a long time, and providers may have them in place for five, 10 or 15 years or more, says Axel Wirth, healthcare solutions architect for Symantec. Software running the devices may be years old as well, and typically not easily protected by cyber defense software. 

What’s more, in many cases the devices are managed just by the manufacturer’s technicians, not a provider’s IT security staff.

Information Management:                  Medical Devices Vulnerable to Hackers:
 

« UK National Cyber Security College Locates To Bletchley Park
War In The Information Age »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cast Software

Cast Software

CAST is a pioneer in Software Analysis and Measurement (SAM) to capture and quantify the reliability and security of business applications.

Simula Research Laboratory

Simula Research Laboratory

Simula Research Laboratory carries out research in the fields of communication systems, scientific computing and software engineering.

Towergate Insurance

Towergate Insurance

Towergate Insurance is a leading UK specialist insurance broker. Business products include Cyber Liability Insurance.

Silverfort

Silverfort

Silverfort introduces the first security platform enabling adaptive authentication and identity theft prevention for sensitive user, device and resource throughout the entire organization.

Cyber Discovery

Cyber Discovery

Cyber Discovery, the UK Government's Cyber Schools Programme, is a learning programme designed to give young people the opportunity to learn the skills needed to enter the cyber security profession.

California Cybersecurity Institute (CCI) - Cal poly

California Cybersecurity Institute (CCI) - Cal poly

The CCI provides a hands-on research and learning environment to explore new cyber technologies and train and test tactics alongside law enforcement and cyberforensics experts.

Quantstamp

Quantstamp

Quantstamp are experts in Smart Contract Security Audits. We provide verification that your decentralized system works as intended.

FraudScope

FraudScope

FraudScope is an AI-assisted platform that accelerates the identification of fraud, waste, and abuse.

Police Digital Security Centre (PDSC)

Police Digital Security Centre (PDSC)

PDSC is a not-for-profit organisation, owned by the police, that works across the UK in partnership with industry, government, academia and law enforcement.

WidePoint

WidePoint

WidePoint Corporation is an innovative provider of Trusted Mobility Management (TM2) solutions.

Vantea SMART

Vantea SMART

Vantea SMART have decades of experience in cybersecurity resulting in an approach of proactive prevention - Security by Design and by Default.

Mobileum

Mobileum

Mobileum is a leading provider of Telecom analytics for roaming, security and risk management and end-to-end domestic and roaming testing solutions.

Strata Identity

Strata Identity

Strata is pioneering identity orchestration to unify on-premises and cloud-based authentication and access systems for consistent identity management in multi-cloud environments.

ORS Consulting

ORS Consulting

ORS Consulting is a specialist provider of risk management advisory services supporting asset-intensive industries such as chemicals, energy, power and utilities, defence and maritime.

Zorins Technologies

Zorins Technologies

Zorins Technologies is a leading IT company providing IT networking Equipment and expertise in managed services, consulting, and cybersecurity.

Hopper Security

Hopper Security

The Future of Open-Source Risk Management Starts Here. We built Hopper to make sure you can harness the power of Open-Source safely and effectively.